Date: Thu, 21 Jan 2021 02:01:46 +0200
From: Jarkko Sakkinen
To: Sumit Garg
Cc: Jarkko Sakkinen, Mimi Zohar, James Bottomley, David Howells, Jens Wiklander, Jonathan Corbet, James Morris, "Serge E. Hallyn", Casey Schaufler, Janne Karhunen, Daniel Thompson, Markus Wamser, Luke Hinds, "open list:ASYMMETRIC KEYS", linux-integrity@vger.kernel.org, "open list:SECURITY SUBSYSTEM", Linux Doc Mailing List, Linux Kernel Mailing List, linux-arm-kernel, op-tee@lists.trustedfirmware.org
Subject: Re: [PATCH v8 2/4] KEYS: trusted: Introduce TEE based Trusted Keys
References: <1604419306-26105-1-git-send-email-sumit.garg@linaro.org> <1604419306-26105-3-git-send-email-sumit.garg@linaro.org>

On Wed, Jan 20, 2021 at 12:53:28PM +0530, Sumit Garg wrote:
> On Wed, 20 Jan 2021 at 07:01, Jarkko Sakkinen wrote:
> >
> > On Tue, Jan 19, 2021 at 12:30:42PM +0200, Jarkko Sakkinen wrote:
> > > On Fri, Jan 15, 2021 at 11:32:31AM +0530, Sumit Garg wrote:
> > > > On Thu, 14 Jan 2021 at 07:35, Jarkko Sakkinen wrote:
> > > > >
> > > > > On Wed, Jan 13, 2021 at 04:47:00PM +0530, Sumit Garg wrote:
> > > > > > Hi Jarkko,
> > > > > >
> > > > > > On Mon, 11 Jan 2021 at 22:05, Jarkko Sakkinen wrote:
> > > > > > >
> > > > > > > On Tue, Nov 03, 2020 at 09:31:44PM +0530, Sumit Garg wrote:
> > > > > > > > Add support for TEE based trusted keys where TEE provides the functionality
> > > > > > > > to seal and unseal trusted keys using hardware unique key.
> > > > > > > >
> > > > > > > > Refer to Documentation/tee.txt for detailed information about TEE.
> > > > > > > >
> > > > > > > > Signed-off-by: Sumit Garg
> > > > > > >
> > > > > > > I haven't yet got QEMU environment working with aarch64, this produces
> > > > > > > just a blank screen:
> > > > > > >
> > > > > > > ./output/host/usr/bin/qemu-system-aarch64 -M virt -cpu cortex-a53 -smp 1 -kernel output/images/Image -initrd output/images/rootfs.cpio -serial stdio
> > > > > > >
> > > > > > > My BuildRoot fork for TPM and keyring testing is located over here:
> > > > > > >
> > > > > > > https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/buildroot-tpmdd.git/
> > > > > > >
> > > > > > > The "ARM version" is at this point in aarch64 branch. Over time I will
> > > > > > > define tpmdd-x86_64 and tpmdd-aarch64 boards and everything will be then
> > > > > > > in the master branch.
> > > > > > >
> > > > > > > To create identical images you just need to
> > > > > > >
> > > > > > > $ make tpmdd_defconfig && make
> > > > > > >
> > > > > > > Can you check if you see anything obviously wrong? I'm eager to test this
> > > > > > > patch set, and in bigger picture I really need to have ready to run
> > > > > > > aarch64 environment available.
> > > > > >
> > > > > > I would rather suggest you to follow steps listed here [1] as to test
> > > > > > this feature on Qemu aarch64 we need to build firmwares such as TF-A,
> > > > > > OP-TEE, UEFI etc. which are all integrated into OP-TEE Qemu build
> > > > > > system [2]. And then it would be easier to migrate them to your
> > > > > > buildroot environment as well.
> > > > > >
> > > > > > [1] https://lists.trustedfirmware.org/pipermail/op-tee/2020-May/000027.html
> > > > > > [2] https://optee.readthedocs.io/en/latest/building/devices/qemu.html#qemu-v8
> > > > > >
> > > > > > -Sumit
> > > > >
> > > > > Can you provide 'keyctl_change'? Otherwise, the steps are easy to follow.
> > > > >
> > > >
> > > > $ cat keyctl_change
> > > > diff --git a/common.mk b/common.mk > > > > index aeb7b41..663e528 100644 > > > > --- a/common.mk
> > > > +++ b/common.mk > > > > @@ -229,6 +229,7 @@ BR2_PACKAGE_OPTEE_TEST_SDK ?= $(OPTEE_OS_TA_DEV_KIT_DIR) > > > > BR2_PACKAGE_OPTEE_TEST_SITE ?= $(OPTEE_TEST_PATH) > > > > BR2_PACKAGE_STRACE ?= y > > > > BR2_TARGET_GENERIC_GETTY_PORT ?= $(if > > > > $(CFG_NW_CONSOLE_UART),ttyAMA$(CFG_NW_CONSOLE_UART),ttyAMA0) > > > > +BR2_PACKAGE_KEYUTILS := y > > > > > > > > # All BR2_* variables from the makefile or the environment are appended to > > > > # ../out-br/extra.conf. All values are quoted "..." except y and n. > > > > diff --git a/kconfigs/qemu.conf b/kconfigs/qemu.conf > > > > index 368c18a..832ab74 100644 > > > > --- a/kconfigs/qemu.conf > > > > +++ b/kconfigs/qemu.conf 
> > > > @@ -20,3 +20,5 @@ CONFIG_9P_FS=y > > > > CONFIG_9P_FS_POSIX_ACL=y > > > > CONFIG_HW_RANDOM=y > > > > CONFIG_HW_RANDOM_VIRTIO=y > > > > +CONFIG_TRUSTED_KEYS=y > > > > +CONFIG_ENCRYPTED_KEYS=y
> > > >
> > > > > After I've successfully tested 2/4, I'd suggest that you roll out one more
> > > > > version and CC the documentation patch to Elaine and Mini, and clearly
> > > > > remark in the commit message that TEE is a standard, with a link to the
> > > > > specification.
> > > > >
> > > >
> > > > Sure, I will roll out the next version after your testing.
> > >
> > > Thanks, I'll try this at instant, and give my feedback.
> >
> > I bump into this:
> >
> > $ make run-only
> > ln -sf /home/jarkko/devel/tpm/optee/build/../out-br/images/rootfs.cpio.gz /home/jarkko/devel/tpm/optee/build/../out/bin/
> > ln: failed to create symbolic link '/home/jarkko/devel/tpm/optee/build/../out/bin/': No such file or directory
> > make: *** [Makefile:194: run-only] Error 1
> >
>
> Could you check if the following directory tree is built after
> executing the below command?
>
> $ make -j`nproc`
> CFG_IN_TREE_EARLY_TAS=trusted_keys/f04a0fe7-1f5d-4b9b-abf7-619b85b4ce8c
>
> $ tree out/bin/
> out/bin/
> ├── bl1.bin -> /home/sumit/build/optee/build/../trusted-firmware-a/build/qemu/release/bl1.bin
> ├── bl2.bin -> /home/sumit/build/optee/build/../trusted-firmware-a/build/qemu/release/bl2.bin
> ├── bl31.bin ->
> /home/sumit/build/optee/build/../trusted-firmware-a/build/qemu/release/bl31.bin
> ├── bl32.bin ->
> /home/sumit/build/optee/build/../optee_os/out/arm/core/tee-header_v2.bin
> ├── bl32_extra1.bin ->
> /home/sumit/build/optee/build/../optee_os/out/arm/core/tee-pager_v2.bin
> ├── bl32_extra2.bin ->
> /home/sumit/build/optee/build/../optee_os/out/arm/core/tee-pageable_v2.bin
> ├── bl33.bin ->
> /home/sumit/build/optee/build/../edk2/Build/ArmVirtQemuKernel-AARCH64/RELEASE_GCC49/FV/QEMU_EFI.fd
> ├── Image -> /home/sumit/build/optee/build/../linux/arch/arm64/boot/Image
> └── rootfs.cpio.gz ->
> /home/sumit/build/optee/build/../out-br/images/rootfs.cpio.gz
>
> 0 directories, 9 files
>
> -Sumit

I actually spotted a build error that was unnoticed last time:

make[2]: Entering directory '/home/jarkko/devel/tpm/optee/edk2/BaseTools/Tests'
/bin/sh: 1: python: not found

I'd prefer not to install Python2. It has been EOL over a year.

/Jarkko
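
Review bot: In the common.mk hunk of keyctl_change, the added line "+BR2_PACKAGE_KEYUTILS := y" uses ":=" while every neighbouring BR2_* assignment in the context (BR2_PACKAGE_STRACE, BR2_PACKAGE_OPTEE_TEST_SITE, BR2_TARGET_GENERIC_GETTY_PORT) uses "?=", so a value supplied from the environment is overwritten instead of respected. The comment directly below the addition says BR2_* variables "from the makefile or the environment" are appended to ../out-br/extra.conf, which suggests environment overrides are expected here. Unless forcing keyutils on is intended, "BR2_PACKAGE_KEYUTILS ?= y" would match the surrounding convention.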